We claim:

1. A method of forwarding a packet to a destination comprising:

examining a header of said packet to determine a private destination address;

determining a private address of a private remote sub-endpoint of a tunnel,
said private sub-endpoint being associated with said private destination
address;

determining a public address of a public remote sub-endpoint of said tunnel;

encapsulating said packet, resulting in an encapsulated packet, to indicate a
public address of a public local sub-endpoint of said tunnel as a source
address and said public address of said public remote sub-endpoint of said
tunnel as a destination address; and

forwarding said encapsulated packet to a node in a carrier network.



2. The method of claim 1 wherein said tunnel is a point to multipoint tunnel.

3. The method of claim 1 wherein said determining said private address of said first
remote sub-endpoint of said tunnel comprises consulting a routing table to discover
an address associated with said private destination address of said packet.

4. The method of claim 6 wherein said determining said public address of said
second remote sub-endpoint of said tunnel comprises consulting a static address
resolution protocol table to discover an address associated with said private address
of said first remote sub-endpoint of said tunnel.

5. The method of claim 1 further comprising determining a private address of a first
local sub-endpoint of said tunnel.

6. The method of claim 5 wherein said determining said private address of said first
local sub-endpoint of said tunnel comprises consulting a forwarding table to discover
an address associated with said private address of said first remote sub-endpoint of
said tunnel.

7. A carrier router comprising:

a backbone router including: 

a public network interface for connecting to a public data network; and 

a sub-endpoint for a tunnel having a network address in an address
space of said public data network; and 

a customer virtual router including: 

a private network interface for connecting to a private data network; 
and 

a sub-endpoint for said tunnel having a network address in an address
space of said private data network. 

8. A carrier router comprising: 

a private network interface; 

a public network interface; 

a processor operable to: 

receive a packet at said private network interface; 

examine a header of said packet to determine a private destination 
address; 

determine a private address of a private remote sub-endpoint of a 
tunnel, said private sub-endpoint being associated with said private 
destination address; 

determine a public address of a public remote sub-endpoint of said 
tunnel; 






encapsulate said packet, resulting in an encapsulated packet, to
indicate a public address of a public local sub-endpoint of said tunnel
as a source address and said public address of said public remote
sub-endpoint of said tunnel as a destination address; and

forward said encapsulated packet to a node in a public network via said
public network interface.

9. A computer readable medium containing computer-executable instructions which,
when performed by a processor in a carrier router, cause the processor to:

examine a header of said packet to determine a private destination address;

determine a private address of a private remote sub-endpoint of a tunnel, said
private sub-endpoint being associated with said private destination address;

determine a public address of a public remote sub-endpoint of said tunnel;

encapsulate said packet, resulting in an encapsulated packet, to indicate a
public address of a public local sub-endpoint of said tunnel as a source
address and said public address of said public remote sub-endpoint of said
tunnel as a destination address; and

forward said encapsulated packet to a node in a carrier network.

10. A method of receiving a packet, said packet having public source and destination
addresses and private source and destination addresses, said method comprising:

receiving said packet from a node in a carrier data network;

forwarding said packet to a first tunnel sub-endpoint having said public
destination address;

at said first tunnel sub-endpoint, removing said public source and destination
addresses from said packet;

forwarding said packet to a second tunnel sub-endpoint; and

at said second tunnel sub-endpoint, forwarding said packet to a device having
said private destination address.

11. A computer readable medium containing computer-executable instructions which,
when performed by a processor in a carrier router, cause the processor to:

receive said packet from a node in a carrier data network;

forward said packet to a first tunnel sub-endpoint having said public
destination address;

at said first tunnel sub-endpoint, remove said public source and destination
addresses from said packet;

forward said packet to a second tunnel sub-endpoint; and

at said second tunnel sub-endpoint, forward said packet to a device having
said private destination address.

12. A method of adding a given carrier router to a virtual private network, said virtual
private network described by a plurality of tunnel definitions, each of said tunnel
definitions defining tunnels between sub-endpoints of existing carrier routers, said
method comprising:

adding a public network address of a sub-endpoint of said given carrier router
as a destination address in each of said plurality of tunnel definitions to create
a plurality of amended tunnel definitions; and

adding a new tunnel definition where said public network address for said
sub-endpoint of said given carrier router is a source address in said new
tunnel definition and public network addresses for said sub-endpoints of said
existing carrier routers are destination addresses in said new tunnel definition.

13. The method of claim 12 further comprising distributing said plurality of amended
tunnel definitions and said new tunnel definition to said existing carrier routers and
said given carrier router.

14. The method of claim 13, where said sub-endpoint of said given carrier router is a
first sub-endpoint and said given carrier router has a second sub-endpoint with a 
private network address, said method further comprising adding an association of 
said private network address of said second sub-endpoint to said public network 
address of said first sub-endpoint to an existing Address Resolution Protocol table to 
give rise to an amended Address Resolution Protocol table. 

15. The method of claim 14 further comprising distributing said amended Address 
Resolution Protocol table to said existing carrier routers and said given carrier router. 

16. A computer readable medium containing computer-executable instructions which, 
when performed by a processor in a network management console, cause the 
processor to: 

add a public network address of a sub-endpoint of a given carrier router as a 
destination address in each of a plurality of tunnel definitions to create a 
plurality of amended tunnel definitions; and 

add a new tunnel definition where a public network address for a sub-endpoint 
of said given carrier router is a source address in said new tunnel definition 
and public network addresses for sub-endpoints of said existing carrier 
routers are destination addresses in said new tunnel definition. 
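
The lookup chain recited in claims 1, 3 and 4 and the receive path of claim 10, modelled as an added illustrative example that is not part of the claims or of the patent's own material. The class and function names, the longest-prefix route selection, and all addresses and table contents are assumptions constructed for the illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    payload: object  # bytes, or the inner Packet once encapsulated

class CarrierRouter:
    def __init__(self, public_local, routes, static_arp):
        self.public_local = public_local  # public local sub-endpoint
        # routing table: private prefix -> private remote sub-endpoint
        self.routes = [(ipaddress.ip_network(n), hop) for n, hop in routes.items()]
        # static ARP table: private sub-endpoint -> public sub-endpoint
        self.static_arp = dict(static_arp)

    def forward(self, pkt):
        """Send side: examine header, resolve both sub-endpoints, encapsulate."""
        dst = ipaddress.ip_address(pkt.dst)
        hits = [(net, hop) for net, hop in self.routes if dst in net]
        if not hits:
            raise LookupError(f"no tunnel route for {pkt.dst}")
        # Assumption: longest-prefix match picks the route
        private_remote = max(hits, key=lambda h: h[0].prefixlen)[1]
        if private_remote not in self.static_arp:
            raise LookupError(f"no static ARP entry for {private_remote}")
        public_remote = self.static_arp[private_remote]
        return Packet(self.public_local, public_remote, pkt)

    def receive(self, outer):
        """Receive side: strip the public addresses, return the inner packet."""
        if outer.dst != self.public_local or not isinstance(outer.payload, Packet):
            raise ValueError("not a tunnel packet for this public sub-endpoint")
        return outer.payload

def demo():
    # Constructed addresses: documentation range outside, RFC 1918 inside
    a = CarrierRouter("192.0.2.1", {"10.2.0.0/16": "10.255.0.2"},
                      {"10.255.0.2": "192.0.2.2"})
    b = CarrierRouter("192.0.2.2", {"10.1.0.0/16": "10.255.0.1"},
                      {"10.255.0.1": "192.0.2.1"})
    inner = Packet("10.1.0.5", "10.2.0.9", b"hello")
    outer = a.forward(inner)
    return outer, b.receive(outer)

if __name__ == "__main__":
    print(demo())
```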



